Hello, yes, although I personally never used HEADS productively, I've set it up; the last time was quite some time ago though. I remember I had to troubleshoot quite a bit.
About petitboot, I just started to look into it myself, so I won't be much help there probably. What exactly are you trying to achieve?

I will send you a grub.cfg which is working tomorrow morning; you will have to edit/adjust it though (either change the UUID in the config file or the UUID of /boot).

I used kernel signing, but I wasn't too happy with it in the long run; for usability, 2FA with one partition or /boot and /root encrypted so far is the best, we use it every day. Talking about usability, I highly recommend adding SeaBIOS as a secondary payload, at least if you want to boot live USB from time to time.

cheers

On 9/18/18 3:20 PM, get wrote:
> On Tuesday, 18 September 2018 at 20:16:10 UTC+3, Jonathan Seefelder wrote:
>> yes it's possible, do you want to encrypt /boot and /root separately so
>> you will need a different password for each partition, or do you want to
>> encrypt it all together with 2fa etc?
>>
>> The first one is relatively easy, you will have to modify the grub.cfg
>> of your coreboot image. Also, the uuid will have to match, you can either
>> do a "normal" install and change the uuid in the grub.cfg, or change the
>> uuid of /root.
>>
>> check out the libreboot-side, there should be all the necessary
>> information. I will write a tutorial some day.
>>
>> cheers
>>
>>
>> On 9/18/18 1:02 PM, 'awokd' via qubes-users wrote:
>>
>>> get:
>>>> FDE in my understanding this is a scheme partition look like
>>>>
>>>> sda 8:0 0 99999,9G 0 disk
>>>> └─sda1 8:1 0 99999,9G 0 LUKS
>>>>   └──luks-<UUID> crypt
>>>>      ├─qubes_dom0-boot lvm /boot (encrypted)
>>>>      ├─qubes_dom0-swap lvm [SWAP] (encrypted)
>>>>      └─qubes_dom0-root lvm / (encrypted)
>>>>
>>>> FDE = cryptsetup whole disk (including /boot). Not only root partition.
>>>> Anaconda can't do it by default. Installation success only with grub
>>>> missing.
>>>> OS research HEADS can't kexec into FDE disk.
>>>>
>>>> Is it only possible to boot from grub2 coreboot?
>>>>
>>>> cryptomount -a
>>>> set root='hd0,msdos1'
>>>> linux=... vmlinuz=...
>>>>
>>>> I have been trying to do the coreboot firmware for a month already
>>>> to get a load of Qubes with full disk encryption (including /boot). Is it
>>>> possible? Can anyone help me ?:)
>>> I've seen others on this list report it as successful, but haven't done
>>> it myself. I think they had to use the Seabios payload for the initial
>>> install, then switch to coreboot's grub2. Afraid that's about all I know...
>>>
>> --
>> Kind Regards
>> Jonathan Seefelder
>> CryptoGS IT-Security Solutions
> Hi, Jonathan Seefelder.
>
> I'm looking for different ways of how to encrypt the whole disk (include
> /boot) and load it using coreboot modifications.
>
> I know how to load this way Parabola FDE (include /boot)
>
> menuentry 'Linux-libre kernel' {
>     cryptomount -a (ahci0,msdos1)
>     set root='lvm/matrix-rootvol'
>     linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol cryptdevice=/dev/sda1:root
>     initrd /boot/initramfs-linux-libre.img
> }
>
> Is the same method for xen?
>
> Did you try Heads/Petitboot?
>
> https://www.raptorengineering.com/content/kb/1.html
> https://github.com/osresearch/heads
>
> Did you try to add
> https://en.wikipedia.org/wiki/PBKDF2 to grub use qubes FDE?
>
> Did you try add gpg keys?
>
> Thanks.
>
--
Kind Regards
Jonathan Seefelder
CryptoGS IT-Security Solutions
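Added example, not part of the thread or of any project named in it: the replies above say the UUID in the coreboot grub.cfg has to match the disk, so this shell function checks a config's `cryptomount -u` and `search --fs-uuid` references against the expected UUIDs before the image is flashed. The sample config, the UUIDs and the function names are constructed, and it assumes the UUID is the last argument of `search`.

```shell
# Added example: the config fragment, UUIDs and function names are constructed.

# Write a constructed grub.cfg fragment that pins the LUKS container and
# the filesystem by UUID (cryptomount -u is given the UUID without dashes).
write_sample_cfg() {
    cat > "$1" <<'EOF'
menuentry 'constructed sample entry' {
    cryptomount -u 0f3c5a7e9b1d4c2e8a6f1b2c3d4e5f60
    search --fs-uuid --set=root 7d2e4b6a-1c3f-4e5d-9a8b-0c1d2e3f4a5b
    # kernel and initrd lines omitted from this sample
}
EOF
}

# check_grub_uuids CFG LUKS_UUID FS_UUID
# Exit 0: every UUID reference matches. Exit 1: at least one is stale.
# Exit 2: the config pins no UUID at all (e.g. it only uses cryptomount -a).
check_grub_uuids() {
    awk -v luks="$2" -v fsid="$3" '
        # Compare case-insensitively and ignore dashes.
        function norm(u) { u = tolower(u); gsub(/-/, "", u); return u }
        BEGIN { luks = norm(luks); fsid = norm(fsid) }
        $1 == "cryptomount" {
            for (i = 2; i < NF; i++) if ($i == "-u") {
                seen++
                if (norm($(i + 1)) != luks) { bad++; print "line " NR ": cryptomount -u is not the LUKS UUID" }
            }
        }
        # Assumes the UUID is the last argument of the search command.
        $1 == "search" && /--fs-uuid/ {
            seen++
            if (norm($NF) != fsid) { bad++; print "line " NR ": search --fs-uuid is not the filesystem UUID" }
        }
        END { if (!seen) exit 2; exit (bad > 0) }
    ' "$1"
}

# On a real system the expected values would come from, for example,
# `cryptsetup luksUUID /dev/sda1` and `blkid -s UUID -o value <boot device>`.
cfg=$(mktemp)
write_sample_cfg "$cfg"
if check_grub_uuids "$cfg" 0F3C5A7E-9B1D-4C2E-8A6F-1B2C3D4E5F60 \
        7d2e4b6a-1c3f-4e5d-9a8b-0c1d2e3f4a5b; then
    echo "grub.cfg UUID references match the disk"
fi
rm -f "$cfg"
```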